SAP issued a statement last week to disclose security lapses in several cloud products including SAP Cloud Platform, SAP Analytics Cloud, SuccessFactors, and Concur. According to the statement, the disclosure was prompted by an internal security review. SAP does not believe customer data has been compromised as a result of the issues. The lapses impact 9% of the company’s 440,000 customers.
The announcement is expected to dampen customer support for digital transformation initiatives intended to shift the hosting of SAP applications from on-premises data centers to cloud providers.
SAP also announced that the organization is updating security-related terms and conditions for its cloud solutions. In response to concerns that such changes may be intended to reduce SAP’s legal risk for security issues and shift more responsibility for security to customers, SAP declared that the terms and conditions will “remain in line with market peers”.
Furthermore, SAP denied any link between the announcement and security breaches attributed to the Cloud Hopper hacking campaign. Cloud Hopper successfully exfiltrated sensitive data from multiple organizations by penetrating HPE’s cloud computing service. The campaign is suspected to be sponsored by the Chinese Ministry of State Security.